Working Intel CET Bits Now Land In GCC 8
A few days back I wrote about Intel's work on Control-flow Enforcement Technology beginning to land in GCC. This "CET" work for future Intel CPUs has now landed in full for GCC 8.
The bits wiring up this control-flow instrumentation and enforcement support are now all present in mainline GCC SVN/Git for next year's GCC 8.1 release.
As explained in the earlier article, "Control-flow Enforcement Technology aims to prevent return-oriented programming (ROP) and call-jump-oriented programming (COP/JOP) attacks. The Intel-developed technology tries to prevent control-flow attacks by the concept of having a shadow stack to keep track of the expected return addresses and will raise faults if the return addresses do not match what is expected by the shadow stack. CET also has indirect branch tracking for stopping jump/call oriented attacks."
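A toy C model of the two checks described above, added here as an illustration and not taken from GCC or Intel: the shadow-stack comparison on return and the indirect-branch landing check. The struct, function names and sample addresses are constructed for this example; ENDBR64 (bytes F3 0F 1E FA) is the landing-pad instruction that indirect branch tracking expects at a valid target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEPTH 8
enum outcome { FLOW_OK, CP_FAULT };

/* Toy CPU state (hypothetical model): both stacks hold return addresses only. */
struct cpu {
    uint64_t stack[DEPTH];   /* ordinary stack: writable by the program */
    uint64_t shadow[DEPTH];  /* shadow stack: written only by call/ret */
    size_t sp, ssp;
};

/* CALL pushes the return address onto both stacks. */
int model_call(struct cpu *c, uint64_t ret_addr) {
    if (c->sp >= DEPTH || c->ssp >= DEPTH) return -1;  /* model limit reached */
    c->stack[c->sp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return 0;
}

/* RET pops both copies and faults when they differ. */
enum outcome model_ret(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return CP_FAULT;    /* nothing to return to */
    uint64_t from_stack = c->stack[--c->sp];
    uint64_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow) return CP_FAULT;    /* control-protection fault */
    *target = from_stack;
    return FLOW_OK;
}

/* IBT: an indirect call/jmp must land on an ENDBR64 instruction. */
enum outcome model_indirect_branch(const uint8_t *code, size_t len, size_t target) {
    static const uint8_t endbr64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };
    if (target > len || len - target < sizeof endbr64) return CP_FAULT;
    return memcmp(code + target, endbr64, sizeof endbr64) == 0 ? FLOW_OK : CP_FAULT;
}

int main(void) {
    struct cpu c = {0};
    uint64_t t = 0;
    model_call(&c, 0x401000);   /* constructed return address */
    c.stack[0] = 0xdeadbeef;    /* constructed: stack copy corrupted after the call */
    printf("ret after overwrite: %s\n",
           model_ret(&c, &t) == CP_FAULT ? "fault" : "ok");
    return 0;
}
```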
The switches now available for using Intel CET with supported CPUs include -finstrument-control-flow, -mcet, -mibt and -mshstk. Unfortunately, no Intel CPUs yet on the market support this security technology.
More details on the tech via this new commit.